!update-4395[1].0000

Status
Not open for further replies.

mmejido

Posts: 8   +0
Hi everyone. I've been pulling my hair out over this, with no solution.

This afternoon I downloaded a program and got hit with a virus. I've literally been on the 'net for the past 8 hours searching the name of it, and following other people's instructions on how to deal with it. It's still there :(

OK. Forgive me if I am not giving the proper log files; I believe anyone that helps me is going to need at least the HijackThis log? That's what I'll be posting. If you need more, please let me know!

As we speak, AVG just found I have:

1) !update.exe c:\Documents and Settings\Michael\Local Settings\Temp\!update.exe

2) !update-4395[1].0000 c:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\4JWFKTYL\!update-4395[1].0000


I've been running AVG, Ad-Aware, VundoFix, HijackThis, everything I can possibly think of, and it's all still there. Sigh :(


Sorry. The txt file is so big I put it on my website:
http://www.michaelmejido.com/hjt.txt


Can anyone help? Thanks for your time.
 
Hello and welcome to Techspot.

Your system is infected with a variety of malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank you Howard. I will be doing all this right away, but it might take me a day or so because I work full time. I will be getting on all this right now though.
 
Since you're short of time, take a look at this similar thread:
https://www.techspot.com/vb/topic48164.html

If this is being shown as a virus, it's this:
Note: update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer.

But it can also be a process belonging to an advertising program, as well as a legitimate process for the Spyware Doctor Internet Security product.

And both of the files you referenced can be deleted as they are temporary internet files and .tmp files.
 
OK. My apologies for this taking so long.

Here are the three logs you wanted:
http://www.michaelmejido.com/htj.txt
http://www.michaelmejido.com/avgantispy.txt
http://www.michaelmejido.com/combo.txt


The only thing I couldn't get working was Ad-Aware. It would always crash no matter how many times I tried installing it.

The AVG Anti-Rootkit scan showed nothing.

Even though the antispy log shows that no action was taken on anything, I did quarantine the 12 things that were 'high' risk.

I actually had thought I wiped my computer clear of everything halfway through the 15 steps... but I'm noticing that XP is hanging mightily while it loads up (it'll play the XP intro sound, and then hang for like 20 seconds while something loads up... God only knows what. I'd like to think it's all the antivirus software that I now have on the computer, but it might not be).

During the actual operation of the computer, everything seems OK. Again, the only symptom is the computer taking a lot longer to load up XP and stalling during the 'welcome' screen.

Also, HijackThis is really showing a lot of stuff that probably shouldn't be there.


OK Howard, anything you can suggest for me to do, I will do :)

- Michael
 
Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

These are the filepaths you need to enter into Vundofix.

C:\WINDOWS\system32\qhcbbi.dll
C:\WINDOWS\SYSTEM32\winjyp32.dll

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Viewpoint Manager Service
SymWMI Service (SymWSC)

Close the services window.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Viewpoint
Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

w?auboot.exe
ViewpointService.exe
ViewMgr.exe
mgrs.exe
PowerReg Scheduler V3.exe
SymWSC.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {4BF1A7C2-440D-3C8D-2174-3EB67E49A2C8} - C:\WINDOWS\system32\qhcbbi.dll

O2 - BHO: (no name) - {E5C75780-B092-420E-9928-19D3F0EFF604} - C:\WINDOWS\system32\pmnno.dll (file missing)

O4 - HKLM\..\Run: [smgr] mgrs.exe

O4 - HKCU\..\Run: [Ggcy] C:\WINDOWS\system32\??pPatch\w?auboot.exe

O4 - Startup: PowerReg Scheduler V3.exe

Fix all O18 - Protocol: entries.

O20 - Winlogon Notify: nnnomml - nnnomml.dll (file missing)

O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\SYSTEM32\winjyp32.dll

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\Viewpoint - Delete the entire folder.
C:\Program Files\Common Files\Symantec Shared - Delete the entire folder.
C:\WINDOWS\system32\??pPatch - Delete the entire folder.

PowerReg Scheduler V3.exe - Search your system for this file and delete all instances found.
mgrs.exe - Search your system for this file and delete all instances found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as an Attachment.

Regards Howard :)

This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
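As an added example (not HijackThis code, and not something posted in this thread), here is a small Python parser for HJT-style log lines like the O2/O4/O20/O23 entries Howard lists above, with the review heuristics his fix list implies (dangling "(file missing)"/"(no file)" references, Winlogon Notify DLLs, unnamed BHOs, bare file names in Run keys, unprintable characters in a path). The sample log is constructed from entries quoted in the thread, and the heuristics are this example's own assumptions, not a substitute for the helper's review.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on entries quoted in the thread above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {4BF1A7C2-440D-3C8D-2174-3EB67E49A2C8} - C:\\WINDOWS\\system32\\qhcbbi.dll
O4 - HKLM\\..\\Run: [smgr] mgrs.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Ggcy] C:\\WINDOWS\\system32\\??pPatch\\w?auboot.exe
O20 - Winlogon Notify: nnnomml - nnnomml.dll (file missing)
O20 - Winlogon Notify: winjyp32 - C:\\WINDOWS\\SYSTEM32\\winjyp32.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
"""
@dataclass
class Entry:
    section: str  # "O2", "O4", "O20", "O23", ...
    name: str     # BHO/service name, Run value name or notify package
    target: str   # file path or command the entry points at
def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into section, name and target; None if unknown."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":  # "HKLM\..\Run: [value] command" or "Startup: file"
        m4 = re.match(r"^(?:.*Run: \[(.*?)\]|(?:Global )?Startup:) (.*)$", rest)
        return Entry(section, m4.group(1) or "", m4.group(2)) if m4 else None
    parts = rest.split(" - ")  # O2/O20/O23: "Type: name - ... - path"
    return Entry(section, parts[0].split(": ", 1)[-1], parts[-1])

def triage(entry: Entry) -> List[str]:
    """Review flags for one entry; the heuristics are this example's own."""
    flags = []
    if "(file missing)" in entry.target or "(no file)" in entry.target:
        flags.append("dangling reference: file is gone, entry can be fixed")
    if entry.section == "O20":
        flags.append("Winlogon Notify DLL is loaded by winlogon.exe: verify it")
    if entry.section == "O2" and entry.name == "(no name)":
        flags.append("unnamed BHO: identify the CLSID before trusting it")
    if entry.section == "O4" and "\\" not in entry.target:
        flags.append("bare file name resolved via the search path: locate it")
    if "?" in entry.target:
        flags.append("characters HJT could not print in the path: inspect it")
    return flags
def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every flagged log line to its review flags."""
    parsed = ((ln, parse_line(ln)) for ln in text.splitlines())
    return {ln: triage(e) for ln, e in parsed if e and triage(e)}
```

Running `triage_log(SAMPLE_LOG)` flags six of the eight sample lines and leaves the ctfmon.exe and Viewpoint service entries unflagged; those still need a human decision, as Howard's list shows.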
 
OK. Just did all that.

1) deleted qhcbbi.dll & winjyp32.dll

2) Viewpoint Manager service & SymWMI were not in services.msc

3) Viewpoint & Viewpoint Manager were not there to be removed as programs

4) all the programs you asked me to delete in the taskbar were not there

5) None of the HJT entries were there.

6) Deleted the entire Viewpoint & Symantec Shared folders. ??pPatch folder was not there.
 
howard_hopkinso said:
Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as an Attachment.

Unfortunately, you have posted a HJT log from safe mode. Please post a HJT log from normal mode.

Regards Howard :)

This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, here you go.

I'd still tell you that the load-up is funky. And I see it loading up a window in the beginning, and it immediately disappears. I know it's still doing *something* screwy.

Here's the HJT log in normal mode.
 
Your HJT log is clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

The items below are optional and can safely be fixed with HJT. This should help to speed up your system. The more items you have running on startup, the slower your system will boot.

Feel free to fix any or all the items below.

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Click on the fix checked button.

Close HJT.

The Services listed below are also optional. Feel free to disable any or all.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Adobe LM Service
AVG Anti-Spyware Guard
Creative Service for CDROM Access
GEARSecurity
Intel(R) Active Monitor (imonNT)
Windows Media Player Network Sharing Service

Close the services window and reboot your system.

Go and read this thread HERE for info on how to speed up your system.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard, I will do all of that as soon as possible.

However, I'm noticing yet another problem. XP's time is now military for some reason. Right now it's saying that my time is 16:01. Oy. Would you know how to fix that too?

Thanks :(
 
Passing by, saw this and thought I'd let you know:
To change the clock back to the 12-hour setting:

In Windows XP:
Control Panel> Regional Options> Customize> Time tab>
Change Time format to hh:mm:ss tt for a 12-hour clock.

(Use the lower-case hh for the 12-hour clock. HH is for the 24-hour military time, which is what you are seeing now.)
 
Bobby, that worked perfectly. Thanks. I almost worry about why it got changed in the first place?

Howard, I will get working on your instructions ASAP!
 
Well, things seem to be OK now Howard :) I will wait a few days before making a final conclusion, but you have definitely helped me greatly. Thank you SO much.

You do get paid for this, right? ;)
 